cybernews

Recorded data leak

Latest News


CVE-2025-37108 - HPE Telco Service Activator Cross-Site Scripting Vulnerability

CVE ID : CVE-2025-37108
Published : July 31, 2025, 8:15 p.m. | 49 minutes ago
Description : A cross-site scripting vulnerability has been identified in the HPE Telco Service Activator product.
Severity: 3.5 | LOW

Thu, 31 Jul 2025 20:15:00 GMT

CVE-2025-37109 - HPE Telco Service Activator Cross-Site Scripting Vulnerability

CVE ID : CVE-2025-37109
Published : July 31, 2025, 8:15 p.m. | 49 minutes ago
Description : A cross-site scripting vulnerability has been identified in the HPE Telco Service Activator product.
Severity: 3.5 | LOW

Thu, 31 Jul 2025 20:15:00 GMT

CVE-2025-37110 - HPE Telco Network Function Virtual Orchestrator Information Disclosure

CVE ID : CVE-2025-37110
Published : July 31, 2025, 8:15 p.m. | 49 minutes ago
Description : A vulnerability was discovered in the storage policy for certain sets of sensitive credential information in the HPE Telco Network Function Virtual Orchestrator. Successful exploitation could lead to unauthorized parties gaining access to sensitive system information.
Severity: 6.0 | MEDIUM

Thu, 31 Jul 2025 20:15:00 GMT

CVE-2025-37111 - HPE Telco Network Function Virtual Orchestrator Authentication Key Storage Policy Information Disclosure

CVE ID : CVE-2025-37111
Published : July 31, 2025, 8:15 p.m. | 49 minutes ago
Description : A vulnerability was discovered in the storage policy for certain sets of authentication keys in the HPE Telco Network Function Virtual Orchestrator. Successful exploitation could lead to unauthorized parties gaining access to sensitive system information.
Severity: 6.0 | MEDIUM

Thu, 31 Jul 2025 20:15:00 GMT

CVE-2025-37112 - HPE Telco Network Function Virtual Orchestrator Key Storage Policy Information Disclosure

CVE ID : CVE-2025-37112
Published : July 31, 2025, 8:15 p.m. | 49 minutes ago
Description : A vulnerability was discovered in the storage policy for certain sets of encryption keys in the HPE Telco Network Function Virtual Orchestrator. Successful exploitation could lead to unauthorized parties gaining access to sensitive system information.
Severity: 6.0 | MEDIUM

Thu, 31 Jul 2025 20:15:00 GMT

CVE-2025-45769 - PHP JWT Weak Encryption Vulnerability

CVE ID : CVE-2025-45769
Published : July 31, 2025, 8:15 p.m. | 49 minutes ago
Description : php-jwt v6.11.0 was discovered to contain weak encryption.
Severity: 0.0 | NA

Thu, 31 Jul 2025 20:15:00 GMT

CVE-2025-45770 - Auth0 JWT Weak Encryption Vulnerability

CVE ID : CVE-2025-45770
Published : July 31, 2025, 8:15 p.m. | 49 minutes ago
Description : jwt v5.4.3 was discovered to contain weak encryption.
Severity: 0.0 | NA

Thu, 31 Jul 2025 20:15:00 GMT

CVE-2025-50572 - Archer Technology RSA Archer Code Execution Vulnerability

CVE ID : CVE-2025-50572
Published : July 31, 2025, 8:15 p.m. | 49 minutes ago
Description : An issue was discovered in Archer Technology RSA Archer 6.11.00204.10014 allowing attackers to execute arbitrary code via crafted system inputs that would be exported into the CSV and be executed after the user opened the file with compatible applications.
Severity: 8.8 | HIGH

Thu, 31 Jul 2025 20:15:00 GMT

CVE-2025-8286 - Güralp FMUS series Telnet Command Injection Vulnerability

CVE ID : CVE-2025-8286
Published : July 31, 2025, 8:15 p.m. | 49 minutes ago
Description : Güralp FMUS series seismic monitoring devices expose an unauthenticated Telnet-based command line interface that could allow an attacker to modify hardware configurations, manipulate data, or factory reset the device.
Severity: 9.8 | CRITICAL

Thu, 31 Jul 2025 20:15:00 GMT

CVE-2025-26062 - Intelbras RX1500/3000 Unauthenticated Access to Settings File

CVE ID : CVE-2025-26062
Published : July 31, 2025, 7:15 p.m. | 1 hour, 49 minutes ago
Description : An access control issue in Intelbras RX1500 v2.2.9 and RX3000 v1.0.11 allows unauthenticated attackers to access the router's settings file and obtain potentially sensitive information from the current settings.
Severity: 9.8 | CRITICAL

Thu, 31 Jul 2025 19:15:00 GMT

CVE-2025-26063 - Intelbras RX1500/3000 - Unauthenticated Remote Code Execution Vulnerability

CVE ID : CVE-2025-26063
Published : July 31, 2025, 7:15 p.m. | 1 hour, 49 minutes ago
Description : An issue in Intelbras RX1500 v2.2.9 and RX3000 v1.0.11 allows unauthenticated attackers to execute arbitrary code via injecting a crafted payload into the ESSID name when creating a network.
Severity: 9.8 | CRITICAL

Thu, 31 Jul 2025 19:15:00 GMT

CVE-2025-26064 - Intelbras RX1500/RX3000 Cross-Site Scripting Vulnerability

CVE ID : CVE-2025-26064
Published : July 31, 2025, 7:15 p.m. | 1 hour, 49 minutes ago
Description : A cross-site scripting (XSS) vulnerability in Intelbras RX1500 v2.2.9 and RX3000 v1.0.11 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the name of a connected device.
Severity: 7.3 | HIGH

Thu, 31 Jul 2025 19:15:00 GMT

CVE-2025-51383 - D-Link DI-8200 Buffer Overflow Vulnerability

CVE ID : CVE-2025-51383
Published : July 31, 2025, 6:15 p.m. | 2 hours, 49 minutes ago
Description : D-LINK DI-8200 16.07.26A1 is vulnerable to Buffer Overflow in the ipsec_road_asp function via the host_ip parameter.
Severity: 3.5 | LOW

Thu, 31 Jul 2025 18:15:00 GMT

CVE-2025-51384 - D-Link DI-8200 IPsec Buffer Overflow

CVE ID : CVE-2025-51384
Published : July 31, 2025, 6:15 p.m. | 2 hours, 49 minutes ago
Description : D-LINK DI-8200 16.07.26A1 is vulnerable to Buffer Overflow in the ipsec_net_asp function via the remot_ip parameter.
Severity: 3.5 | LOW

Thu, 31 Jul 2025 18:15:00 GMT

CVE-2025-51385 - D-Link DI-8200 Buffer Overflow Vulnerability

CVE ID : CVE-2025-51385
Published : July 31, 2025, 6:15 p.m. | 2 hours, 49 minutes ago
Description : D-LINK DI-8200 16.07.26A1 is vulnerable to Buffer Overflow in the yyxz_dlink_asp function via the id parameter.
Severity: 3.5 | LOW

Thu, 31 Jul 2025 18:15:00 GMT

CVE-2025-51503 - Microweber CMS Stored Cross-Site Scripting (XSS)

CVE ID : CVE-2025-51503
Published : July 31, 2025, 6:15 p.m. | 2 hours, 49 minutes ago
Description : A Stored Cross-Site Scripting (XSS) vulnerability in Microweber CMS 2.0 allows attackers to inject malicious scripts into user profile fields, leading to arbitrary JavaScript execution in admin browsers.
Severity: 7.6 | HIGH

Thu, 31 Jul 2025 18:15:00 GMT

CVE-2025-54832 - OPEXUS FOIAXpress Arbitrary State/Territory Modification Vulnerability

CVE ID : CVE-2025-54832
Published : July 31, 2025, 6:15 p.m. | 2 hours, 49 minutes ago
Description : OPEXUS FOIAXpress Public Access Link (PAL), version v11.1.0, allows an authenticated user to add entries to the list of states and territories.
Severity: 4.3 | MEDIUM

Thu, 31 Jul 2025 18:15:00 GMT

CVE-2025-54833 - OPEXUS FOIAXpress Bypass Account-Lockout and CAPTCHA Protection Vulnerability

CVE ID : CVE-2025-54833
Published : July 31, 2025, 6:15 p.m. | 2 hours, 49 minutes ago
Description : OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows attackers to bypass account-lockout and CAPTCHA protections. Unauthenticated remote attackers can more easily brute force passwords.
Severity: 5.3 | MEDIUM

Thu, 31 Jul 2025 18:15:00 GMT

CVE-2025-54834 - OPEXUS FOIAXpress Information Disclosure Vulnerability

CVE ID : CVE-2025-54834
Published : July 31, 2025, 6:15 p.m. | 2 hours, 49 minutes ago
Description : OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows an unauthenticated, remote attacker to query the /App/CreateRequest.aspx endpoint to check for the existence of valid usernames. There are no rate-limiting mechanisms in place.
Severity: 5.3 | MEDIUM

Thu, 31 Jul 2025 18:15:00 GMT

CVE-2025-8426 - Marvell QConvergeConsole Directory Traversal and Information Disclosure/DoS

CVE ID : CVE-2025-8426
Published : July 31, 2025, 6:15 p.m. | 2 hours, 49 minutes ago
Description : Marvell QConvergeConsole compressConfigFiles Directory Traversal Information Disclosure and Denial-of-Service Vulnerability. This vulnerability allows remote attackers to disclose sensitive information or to create a denial-of-service condition on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the compressConfigFiles method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose sensitive information or to create a denial-of-service condition on the system. Was ZDI-CAN-24915.
Severity: 9.4 | CRITICAL

Thu, 31 Jul 2025 18:15:00 GMT

CVE-2024-34327 - Sielox AnyWare SQL Injection

CVE ID : CVE-2024-34327
Published : July 31, 2025, 5:15 p.m. | 3 hours, 49 minutes ago
Description : Sielox AnyWare v2.1.2 was discovered to contain a SQL injection vulnerability via the email address field of the password reset form.
Severity: 6.5 | MEDIUM

Thu, 31 Jul 2025 17:15:00 GMT

CVE-2025-50866 - CloudClassroom-PHP Project 1.0 Reflected Cross-site Scripting (XSS)

CVE ID : CVE-2025-50866
Published : July 31, 2025, 5:15 p.m. | 3 hours, 49 minutes ago
Description : CloudClassroom-PHP-Project 1.0 contains a reflected Cross-site Scripting (XSS) vulnerability in the email parameter of the postquerypublic endpoint. Improper sanitization allows an attacker to inject arbitrary JavaScript code that executes in the context of the user's browser, potentially leading to session hijacking or phishing attacks.
Severity: 0.0 | NA

Thu, 31 Jul 2025 17:15:00 GMT

CVE-2025-50867 - CloudClassroom-PHP-Project SQL Injection

CVE ID : CVE-2025-50867
Published : July 31, 2025, 4:15 p.m. | 4 hours, 49 minutes ago
Description : A SQL Injection vulnerability exists in the takeassessment2.php endpoint of the CloudClassroom-PHP-Project 1.0, where the Q5 POST parameter is directly embedded in SQL statements without sanitization.
Severity: 6.5 | MEDIUM

Thu, 31 Jul 2025 16:15:00 GMT

CVE-2025-52203 - DevaslanPHP Stored XSS

CVE ID : CVE-2025-52203
Published : July 31, 2025, 4:15 p.m. | 4 hours, 49 minutes ago
Description : A stored cross-site scripting (XSS) vulnerability exists in DevaslanPHP project-management v1.2.4. The vulnerability resides in the Ticket Name field, which fails to properly sanitize user-supplied input. An authenticated attacker can inject malicious JavaScript payloads into this field, which are subsequently stored in the database. When a legitimate user logs in and is redirected to the Dashboard panel (automatically upon authentication), the malicious script executes in the user's browser context.
Severity: 7.6 | HIGH

Thu, 31 Jul 2025 16:15:00 GMT

CVE-2025-8409 - Code-projects Vehicle Management SQL Injection

CVE ID : CVE-2025-8409
Published : July 31, 2025, 4:15 p.m. | 4 hours, 49 minutes ago
Description : A vulnerability has been found in code-projects Vehicle Management 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /filter.php. The manipulation of the argument "from" leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH

Thu, 31 Jul 2025 16:15:00 GMT

CVE-2025-29556 - ExaGrid EX10 Incorrect Access Control Bypass

CVE ID : CVE-2025-29556
Published : July 31, 2025, 4:15 p.m. | 3 hours, 10 minutes ago
Description : ExaGrid EX10 6.3 - 7.0.1.P08 is vulnerable to Incorrect Access Control. Since version 6.3, ExaGrid enforces restrictions preventing users with the Admin role from creating or modifying users with the Security Officer role without approval. However, a flaw in the account creation process allows an attacker to bypass these restrictions via API request manipulation. An attacker with an Admin access can intercept and modify the API request during user creation, altering the parameters to assign the new account to the ExaGrid Security Officers group without the required approval.
Severity: 0.0 | NA

Thu, 31 Jul 2025 16:15:00 GMT

CVE-2025-46809 - SUSE Multi Linux Manager HTTP Proxy Credentials Disclosure

CVE ID : CVE-2025-46809
Published : July 31, 2025, 4:15 p.m. | 3 hours, 10 minutes ago
Description : An Insertion of Sensitive Information into Log File vulnerability in SUSE Multi Linux Manager exposes the HTTP proxy credentials. This issue affects Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: from ? before 5.0.27-150600.3.33.1; Image SLES15-SP4-Manager-Server-4-3-BYOS: from ? before 4.3.87-150400.3.110.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure: from ? before 4.3.87-150400.3.110.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2: from ? before 4.3.87-150400.3.110.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE: from ? before 4.3.87-150400.3.110.2; SUSE Manager Server Module 4.3: from ? before 4.3.87-150400.3.110.2.
Severity: 5.7 | MEDIUM

Thu, 31 Jul 2025 16:15:00 GMT

CVE-2025-50847 - CS Cart CSRF Add Product to Comparison List

CVE ID : CVE-2025-50847
Published : July 31, 2025, 4:15 p.m. | 3 hours, 10 minutes ago
Description : A Cross Site Request Forgery (CSRF) vulnerability in CS Cart 4.18.3 allows attackers to add products to a user's comparison list via a crafted HTTP request.
Severity: 0.0 | NA

Thu, 31 Jul 2025 16:15:00 GMT

CVE-2025-50848 - CS Cart Cross-Site Scripting (XSS) File Upload Vulnerability

CVE ID : CVE-2025-50848
Published : July 31, 2025, 4:15 p.m. | 3 hours, 10 minutes ago
Description : A file upload vulnerability was discovered in CS Cart 4.18.3 that allows attackers to execute arbitrary code. CS Cart 4.18.3 allows unrestricted upload of HTML files, which are rendered directly in the browser when accessed. This allows an attacker to upload a crafted HTML file containing malicious content, such as a fake login form for credential harvesting or scripts for Cross-Site Scripting (XSS) attacks. Since the content is served from a trusted domain, it significantly increases the likelihood of successful phishing or script execution against other users.
Severity: 0.0 | NA

Thu, 31 Jul 2025 16:15:00 GMT

CVE-2025-50850 - CS Cart Brute Force Vendor Login

CVE ID : CVE-2025-50850
Published : July 31, 2025, 4:15 p.m. | 3 hours, 10 minutes ago
Description : An issue was discovered in CS Cart 4.18.3: the vendor login functionality lacks essential security controls such as CAPTCHA verification and rate limiting. This allows an attacker to systematically attempt various combinations of usernames and passwords (brute-force attack) to gain unauthorized access to vendor accounts. The absence of any blocking mechanism makes the login endpoint susceptible to automated attacks.
Severity: 0.0 | NA

Thu, 31 Jul 2025 16:15:00 GMT

CVE-2025-34146 - SandboxJS Prototype Pollution Vulnerability

CVE ID : CVE-2025-34146
Published : July 31, 2025, 3:15 p.m. | 4 hours, 10 minutes ago
Description : A prototype pollution vulnerability exists in @nyariv/sandboxjs versions <= 0.8.23, allowing attackers to inject arbitrary properties into Object.prototype via crafted JavaScript code. This can result in a denial-of-service (DoS) condition or, under certain conditions, escape the sandboxed environment intended to restrict code execution. The vulnerability stems from insufficient prototype access checks in the sandbox’s executor logic, particularly in the handling of JavaScript function objects returned.
Severity: 0.0 | NA

Thu, 31 Jul 2025 15:15:00 GMT

CVE-2025-50270 - AnQiCMS Stored XSS

CVE ID : CVE-2025-50270
Published : July 31, 2025, 3:15 p.m. | 4 hours, 10 minutes ago
Description : A stored Cross Site Scripting (XSS) vulnerability in the "content management" feature in AnQiCMS v.3.4.11 allows a remote attacker to execute arbitrary code via a crafted script to the title, categoryTitle, and tmpTag parameters.
Severity: 0.0 | NA

Thu, 31 Jul 2025 15:15:00 GMT

CVE-2025-50475 - Russound MBX-PRE-D67F OS Command Injection Vulnerability

CVE ID : CVE-2025-50475
Published : July 31, 2025, 3:15 p.m. | 4 hours, 10 minutes ago
Description : An OS command injection vulnerability exists in Russound MBX-PRE-D67F firmware version 3.1.6, allowing unauthenticated attackers to execute arbitrary commands as root via crafted input to the hostname parameter in network configuration requests. This vulnerability stems from improper neutralization of special elements used in an OS command within the network configuration handler, enabling remote code execution with the highest privileges.
Severity: 9.8 | CRITICAL

Thu, 31 Jul 2025 15:15:00 GMT

CVE-2025-50849 - CS Cart IDOR

CVE ID : CVE-2025-50849
Published : July 31, 2025, 3:15 p.m. | 4 hours, 10 minutes ago
Description : CS Cart 4.18.3 is vulnerable to Insecure Direct Object Reference (IDOR). The user profile functionality allows enabling or disabling stickers through a parameter (company_id) sent in the request. However, this operation is not properly validated on the server side. An authenticated user can manipulate the request to target other users' accounts and toggle the sticker setting by modifying the company_id or other object identifiers.
Severity: 8.0 | HIGH

Thu, 31 Jul 2025 15:15:00 GMT

CVE-2025-51569 - LB-Link BL-CPE300M Router Cross-Site Scripting Vulnerability

CVE ID : CVE-2025-51569
Published : July 31, 2025, 3:15 p.m. | 4 hours, 10 minutes ago
Description : A cross-site scripting (XSS) vulnerability exists in the LB-Link BL-CPE300M 01.01.02P42U14_06 router's web interface. The /goform/goform_get_cmd_process endpoint fails to sanitize user input in the cmd parameter before reflecting it into a text/html response. This allows unauthenticated attackers to inject arbitrary JavaScript, which is executed in the context of the router's origin when the crafted URL is accessed. The issue requires user interaction to exploit.
Severity: 0.0 | NA

Thu, 31 Jul 2025 15:15:00 GMT

CVE-2025-52289 - MagnusBilling Broken Access Control Vulnerability

CVE ID : CVE-2025-52289
Published : July 31, 2025, 3:15 p.m. | 4 hours, 10 minutes ago
Description : A Broken Access Control vulnerability in MagnusBilling v7.8.5.3 allows newly registered users to gain escalated privileges by sending a crafted request to /mbilling/index.php/user/save to set their account status from "pending" to "active" without requiring administrator approval.
Severity: 8.0 | HIGH

Thu, 31 Jul 2025 15:15:00 GMT

CVE-2025-8408 - Apache Vehicle Management SQL Injection

CVE ID : CVE-2025-8408
Published : July 31, 2025, 3:15 p.m. | 4 hours, 10 minutes ago
Description : A vulnerability, which was classified as critical, was found in code-projects Vehicle Management 1.0. Affected is an unknown function of the file /filter1.php. The manipulation of the argument vehicle leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH

Thu, 31 Jul 2025 15:15:00 GMT

CVE-2014-125121 - Array Networks vAPV/vxAG SSH Privilege Escalation Vulnerability

CVE ID : CVE-2014-125121
Published : July 31, 2025, 3:15 p.m. | 2 hours, 44 minutes ago
Description : Array Networks vAPV (version 8.3.2.17) and vxAG (version 9.2.0.34) appliances are affected by a privilege escalation vulnerability caused by a combination of hardcoded SSH credentials (or SSH private key) and insecure permissions on a startup script. The devices ship with a default SSH login or a hardcoded DSA private key, allowing an attacker to authenticate remotely with limited privileges. Once authenticated, an attacker can overwrite the world-writable /ca/bin/monitor.sh script with arbitrary commands. Since this script is executed with elevated privileges through the backend binary, enabling the debug monitor via backend -c "debug monitor on" triggers execution of the attacker's payload as root. This allows full system compromise.
Severity: 0.0 | NA

Thu, 31 Jul 2025 15:15:00 GMT

CVE-2014-125122 - Linksys WRT120N Remote Stack Buffer Overflow Vulnerability

CVE ID : CVE-2014-125122
Published : July 31, 2025, 3:15 p.m. | 2 hours, 44 minutes ago
Description : A stack-based buffer overflow vulnerability exists in the tmUnblock.cgi endpoint of the Linksys WRT120N wireless router. The vulnerability is triggered by sending a specially crafted HTTP POST request with an overly long TM_Block_URL parameter to the endpoint. By exploiting this flaw, an unauthenticated remote attacker can overwrite memory in a controlled manner, enabling them to temporarily reset the administrator password of the device to a blank value. This grants unauthorized access to the router’s web management interface without requiring valid credentials.
Severity: 0.0 | NA

Thu, 31 Jul 2025 15:15:00 GMT

CVE-2014-125123 - Kloxo SQL Injection Vulnerability

CVE ID : CVE-2014-125123
Published : July 31, 2025, 3:15 p.m. | 2 hours, 44 minutes ago
Description : An unauthenticated SQL injection vulnerability exists in the Kloxo web hosting control panel (developed by LXCenter) prior to version 6.1.12. The flaw resides in the login-name parameter passed to lbin/webcommand.php, which fails to properly sanitize input, allowing an attacker to extract the administrator’s password from the backend database. After recovering valid credentials, the attacker can authenticate to the Kloxo control panel and leverage the Command Center feature (display.php) to execute arbitrary operating system commands as root on the underlying host system. This vulnerability was reported to be exploited in the wild in January 2014.
Severity: 0.0 | NA

Thu, 31 Jul 2025 15:15:00 GMT

CVE-2014-125124 - Pandora FMS Anyterm Remote Command Execution

CVE ID : CVE-2014-125124
Published : July 31, 2025, 3:15 p.m. | 2 hours, 44 minutes ago
Description : An unauthenticated remote command execution vulnerability exists in Pandora FMS versions up to and including 5.0RC1 via the Anyterm web interface, which listens on TCP port 8023. The anyterm-module endpoint accepts unsanitized user input via the p parameter and directly injects it into a shell command, allowing arbitrary command execution as the pandora user. In certain versions (notably 4.1 and 5.0RC1), the pandora user can elevate privileges to root without a password using a chain involving the artica user account. This account is typically installed without a password and is configured to run sudo without authentication. Therefore, full system compromise is possible without any credentials.
Severity: 0.0 | NA

Thu, 31 Jul 2025 15:15:00 GMT

CVE-2014-125125 - A10 Networks AX Loadbalancer Path Traversal Vulnerability

CVE ID : CVE-2014-125125
Published : July 31, 2025, 3:15 p.m. | 2 hours, 44 minutes ago
Description : A path traversal vulnerability exists in A10 Networks AX Loadbalancer versions 2.6.1-GR1-P5, 2.7.0, and earlier. The vulnerability resides in the handling of the filename parameter in the /xml/downloads endpoint, which fails to properly sanitize user input. An unauthenticated attacker can exploit this flaw by sending crafted HTTP requests containing directory traversal sequences to read arbitrary files outside the intended directory. The files returned by the vulnerable endpoint are deleted from the system after retrieval. This can lead to unauthorized disclosure of sensitive information such as SSL certificates and private keys, as well as unintended file deletion.
Severity: 0.0 | NA

Thu, 31 Jul 2025 15:15:00 GMT

CVE-2014-125126 - Apache Simple E-Document Unrestricted File Upload and Authentication Bypass

CVE ID : CVE-2014-125126
Published : July 31, 2025, 3:15 p.m. | 2 hours, 44 minutes ago
Description : An unrestricted file upload vulnerability exists in Simple E-Document versions 3.0 to 3.1 that allows an unauthenticated attacker to bypass authentication by sending a specific cookie header (access=3) with HTTP requests. The application’s upload mechanism fails to restrict file types and does not validate or sanitize user-supplied input, allowing attackers to upload malicious .php scripts. Authentication can be bypassed entirely by supplying a specially crafted cookie (access=3), granting access to the upload functionality without valid credentials. If file uploads are enabled on the server, the attacker can upload a web shell and gain remote code execution with the privileges of the web server user, potentially leading to full system compromise.
Severity: 0.0 | NA

Thu, 31 Jul 2025 15:15:00 GMT

CVE-2024-34328 - Sielox AnyWare Open Redirect Vulnerability

CVE ID : CVE-2024-34328
Published : July 31, 2025, 3:15 p.m. | 2 hours, 44 minutes ago
Description : An open redirect in Sielox AnyWare v2.1.2 allows attackers to execute a man-in-the-middle attack via a crafted URL.
Severity: 0.0 | NA

Thu, 31 Jul 2025 15:15:00 GMT

CVE-2025-29557 - ExaGrid EX10 Remote Authentication Bypass

CVE ID : CVE-2025-29557
Published : July 31, 2025, 3:15 p.m. | 2 hours, 44 minutes ago
Description : ExaGrid EX10 6.3 - 7.0.1.P08 is vulnerable to Incorrect Access Control in the MailConfiguration API endpoint, where users with operator-level privileges can issue an HTTP request to retrieve SMTP credentials, including plaintext passwords.
Severity: 0.0 | NA

Thu, 31 Jul 2025 15:15:00 GMT

CVE-2013-10042 - FreeFTPd FTP PASS Command Stack-Based Buffer Overflow

CVE ID : CVE-2013-10042
Published : July 31, 2025, 3:15 p.m. | 2 hours, 12 minutes ago
Description : A stack-based buffer overflow vulnerability exists in freeFTPd version 1.0.10 and earlier in the handling of the FTP PASS command. When an attacker sends a specially crafted password string, the application fails to validate input length, resulting in memory corruption. This can lead to denial of service or arbitrary code execution. Exploitation requires the anonymous user account to be enabled.
Severity: 0.0 | NA

Thu, 31 Jul 2025 15:15:00 GMT

CVE-2013-10043 - OAstium VoIP PBX Remote Code Execution Vulnerability

CVE ID : CVE-2013-10043
Published : July 31, 2025, 3:15 p.m. | 2 hours, 12 minutes ago
Description : A vulnerability exists in OAstium VoIP PBX astium-confweb-2.1-25399 and earlier, where improper input validation in the logon.php script allows an attacker to bypass authentication via SQL injection. Once authenticated as an administrator, the attacker can upload arbitrary PHP code through the importcompany field in import.php, resulting in remote code execution. The malicious payload is injected into /usr/local/astium/web/php/config.php and executed with root privileges by triggering a configuration reload via sudo /sbin/service astcfgd reload. Successful exploitation leads to full system compromise.
Severity: 0.0 | NA

Thu, 31 Jul 2025 15:15:00 GMT

CVE-2013-10033 - Kimai SQL Injection Remote Code Execution

CVE ID : CVE-2013-10033
Published : July 31, 2025, 3:15 p.m. | 43 minutes ago
Description : An unauthenticated SQL injection vulnerability exists in Kimai version 0.9.2.x via the db_restore.php endpoint. The flaw allows attackers to inject arbitrary SQL queries into the dates[] POST parameter, enabling file write via INTO OUTFILE under specific environmental conditions. This can lead to remote code execution by writing a PHP payload to the web-accessible temporary directory. The vulnerability has been confirmed in versions including 0.9.2.beta, 0.9.2.1294.beta, and 0.9.2.1306-3.
Severity: 0.0 | NA

Thu, 31 Jul 2025 15:15:00 GMT

CVE-2013-10034 - Kaseya KServer Unauthenticated File Upload Remote Code Execution Vulnerability

CVE ID : CVE-2013-10034
Published : July 31, 2025, 3:15 p.m. | 43 minutes ago
Description : An unrestricted file upload vulnerability exists in Kaseya KServer versions prior to 6.3.0.2. The uploadImage.asp endpoint allows unauthenticated users to upload files to arbitrary paths via a crafted filename parameter in a multipart/form-data POST request. Due to the lack of authentication and input sanitization, an attacker can upload a file with an .asp extension to a web-accessible directory, which can then be invoked to execute arbitrary code with the privileges of the IUSR account. The vulnerability enables remote code execution without prior authentication and was resolved in version 6.3.0.2 by removing the vulnerable uploadImage.asp endpoint.
Severity: 0.0 | NA

Thu, 31 Jul 2025 15:15:00 GMT

CVE-2013-10035 - ProcessMaker Code Injection Vulnerability

CVE ID : CVE-2013-10035
Published : July 31, 2025, 3:15 p.m. | 43 minutes ago
Description : A code injection vulnerability exists in ProcessMaker Open Source versions 2.x when using the default 'neoclassic' skin. An authenticated user can execute arbitrary PHP code via multiple endpoints, including appFolderAjax.php, casesStartPage_Ajax.php, and cases_SchedulerGetPlugins.php, by supplying crafted POST requests to parameters such as action and params. These endpoints fail to validate user input and directly invoke PHP functions like system() with user-supplied parameters, enabling remote code execution. The vulnerability affects both Linux and Windows installations and is present in default configurations of versions including 2.0.23 through 2.5.1. The vulnerable skin cannot be removed through the web interface, and exploitation requires only valid user credentials.
Severity: 0.0 | NA

Thu, 31 Jul 2025 15:15:00 GMT

CVE-2013-10036 - Beetel Connection Manager Stack-Based Buffer Overflow Vulnerability

CVE ID : CVE-2013-10036
Published : July 31, 2025, 3:15 p.m. | 43 minutes ago
Description : A stack-based buffer overflow vulnerability exists in Beetel Connection Manager version PCW_BTLINDV1.0.0B04 when parsing the UserName parameter in the NetConfig.ini configuration file. A crafted .ini file containing an overly long UserName value can overwrite the Structured Exception Handler (SEH), leading to arbitrary code execution when the application processes the file.
Severity: 0.0 | NA

Thu, 31 Jul 2025 15:15:00 GMT

CVE-2013-10037 - WebTester OS Command Injection Vulnerability

CVE ID : CVE-2013-10037
Published : July 31, 2025, 3:15 p.m. | 43 minutes ago
Description : An OS command injection vulnerability exists in WebTester version 5.x via the install2.php installation script. The parameters cpusername, cppassword, and cpdomain are passed directly to shell commands without sanitization. A remote unauthenticated attacker can exploit this flaw by sending a crafted HTTP POST request, resulting in arbitrary command execution on the underlying system with web server privileges.
Severity: 0.0 | NA

Thu, 31 Jul 2025 15:15:00 GMT

CVE-2013-10038 - FlashChat Arbitrary File Upload Vulnerability

CVE ID : CVE-2013-10038
Published : July 31, 2025, 3:15 p.m. | 43 minutes ago
Description : An unauthenticated arbitrary file upload vulnerability exists in FlashChat versions 6.0.2 and 6.0.4 through 6.0.8. The upload.php endpoint fails to properly validate file types and authentication, allowing attackers to upload malicious PHP scripts. Once uploaded, these scripts can be executed remotely, resulting in arbitrary code execution as the web server user.
Severity: 0.0 | NA

Thu, 31 Jul 2025 15:15:00 GMT

CVE-2013-10039 - GestioIP Command Injection Vulnerability

CVE ID : CVE-2013-10039
Published : July 31, 2025, 3:15 p.m. | 43 minutes ago
Description : A command injection vulnerability exists in GestioIP 3.0 commit ac67be and earlier in ip_checkhost.cgi. Crafted input to the 'ip' parameter allows attackers to execute arbitrary shell commands on the server via embedded base64-encoded payloads. Authentication may be required depending on deployment configuration.
Severity: 0.0 | NA

Thu, 31 Jul 2025 15:15:00 GMT

CVE-2013-10040 - ClipBucket Remote Code Execution Vulnerability

CVE ID : CVE-2013-10040
Published : July 31, 2025, 3:15 p.m. | 43 minutes ago
Description : ClipBucket version 2.6 and earlier contains a critical vulnerability in the ofc_upload_image.php script located at /admin_area/charts/ofc-library/. This endpoint allows unauthenticated users to upload arbitrary files, including executable PHP scripts. Once uploaded, the attacker can access the file via a predictable path and trigger remote code execution.
Severity: 0.0 | NA

Thu, 31 Jul 2025 15:15:00 GMT

CVE-2025-54589 - Copyparty Reflected Cross-Site Scripting (XSS) Vulnerability

CVE ID : CVE-2025-54589
Published : July 31, 2025, 2:15 p.m. | 49 minutes ago
Description : Copyparty is a portable file server. In versions 1.18.6 and below, when accessing the recent uploads page at `/?ru`, users can filter the results using an input field at the top. This field appends a filter parameter to the URL, which reflects its value directly into a `